Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

About This Document
Intended Audience
This document describes the commissioning of the basic functions provided by the device in
terms of hardware, software, interconnection, and maintenance and management to ensure that
the device runs in a stable and reliable state. This document describes the configuration
procedures of various services supported by the MA5600T in terms of configuration method
and configuration example.
This document helps to learn the commissioning flows, commissioning methods, and
configuration procedures of various services of the MA5600T.
This document is intended for:
l

Installation and commissioning engineers

l

System maintenance engineers

l

Data configuration engineers

Symbol Conventions
The following symbols may be found in this document. They are defined as follows
Symbol

Description
Indicates a hazard with a high level of risk which, if not
avoided, will result in death or serious injury.

Indicates a hazard with a medium or low level of risk which,
if not avoided, could result in minor or moderate injury.

Indicates a potentially hazardous situation that, if not
avoided, could cause equipment damage, data loss, and
performance degradation, or unexpected results.
Indicates a tip that may help you solve a problem or save
your time.

1.4.2 Commissioning the Interconnection with the Router..............................................................................84
1.4.3 Commissioning the Management Channel Between the OLT and the GPON MDU.............................85
1.4.4 Commissioning the Management Channel Between the OLT and the EPON MDU..............................90
1.4.5 Commissioning the Management Channel Between the OLT and the GPON ONT..............................93
1.4.6 Commissioning the Management Channel Between the OLT and the EPON ONT...............................97
1.5 Maintenance and Management Commissioning.............................................................................................100
1.5.1 Checking the System Switchover..........................................................................................................100
1.5.2 Checking Alarms and Events................................................................................................................101
1.5.3 Configuring a Log Host.........................................................................................................................105
1.6 Supplementary Information............................................................................................................................109
1.6.1 Making a Script.....................................................................................................................................109
1.6.2 Configuring the File Transfer Mode .....................................................................................................110
1.6.3 Software Package Settings.....................................................................................................................117

10 FAQ............................................................................................................................................435
10.1 How to Query the MAC Addresses of the Online Users and the Ports That Provide the Access for the Users
in the MA5600T...................................................................................................................................................436
10.2 How to Resolve the Issue of Unsuccessful Traffic Stream Configuration...................................................436
10.3 How to Calculate the Remaining Bandwidth of a PON Port on the MA5600T...........................................438
10.4 How to Change the Management IP Address and VLAN Remotely...........................................................439
10.5 How to Change the Rate of the User Port in a PON System........................................................................440
10.6 How to Realize the Communication Between Users on the Same Board....................................................440
10.7 How to Select the Matched Hardware for Expanding the Bandwidth of the Upstream Port.......................441
10.8 How to Confirm an Upgraded Board...........................................................................................................442

Generate the client key.
Select SSH-2 RSA as the key type under Parameters, click Generate, and move the cursor
according to the prompt on the interface to generate the client key, as shown in Figure
1-18.
Figure 1-18 Interface of the key generator

Click Save public key and Save private key to save the public key and the private key
respectively after they are generated, as shown in Figure 1-19.

Generate the RSA public key.
Open sshkey.exe, click Browse, and choose the public key file saved in the preceding step.
Then, click Convert to change the client public key to the RSA public key, as shown in
Figure 1-20.

Step 9 Assign the public key to the SSH user.
Run the ssh user assign rsa-key command to assign the RSA public key to the SSH user.
huawei(config)#ssh user huawei assign rsa-key key

Step 10 Log in to the system.
1.

Run the client software.
Run the SSH client software putty.exe, choose SSH > Auth from the navigation tree, and
assign a file for the RSA private key, as shown in Figure 1-21. Click Browse to display
the window for selecting the file. In the window, select the file for the private key, and click
OK.
Figure 1-21 Interface of the SSH client software

2.

Log in to the system.
Choose Session from the navigation tree, and then input the IP address of the MA5600T
in the Host Name (or IP address) field, as shown in Figure 1-22. Then, click Open to log
in to the system.

Figure 1-22 Interface for logging in to the system using the SSH client software

The user authentication mode is set to the RSA authentication mode, and the system
therefore displays the prompt, as shown in Figure 1-23. Input the user name to log in to
the system (here, the user name is huawei).
Figure 1-23 Interface for logging in to the system using the SSH client software

Result
After logging in to the system, you can maintain and manage the MA5600T.

Login Through SSH (Inband Management)
This topic describes how to log in to the MA5600T using the upstream port (inband management
port) in the SSH mode to maintain and manage the MA5600T. The secure shell (SSH) provides
authentication, encryption, and authorization to ensure the network communication security.
When a user logs in to the MA5600T remotely over an insecure network, SSH provides security
guarantee and powerful authentication to protect the MA5600T against attacks such as IP address
spoofing and interception of plain text password.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
NOTE

The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2,
and the subnet mask is 255.255.255.0.

l

For details about how to log in to the MA5600T by using the local serial port, see Login
Through the Local Serial Port.

l

For details about how to log in to the MA5600T by using the ETH port, see the following:
– Configure the IP address of the PC that is used for logging in to the MA5600T. This IP
address is on the same subnet as the IP address of the maintenance Ethernet port but is
not the IP address of the maintenance Ethernet port. For example, configure the IP
address to 10.11.104.6.
– After logging in to the MA5600T, in the MEth mode, run the ip address command to
change the IP address of the device to 10.50.1.10/24.
– Change the IP address of the PC to be on the same subnet as the IP address of the
maintenance Ethernet port but is not the IP address of the maintenance Ethernet port.
For example, change the IP address of the device to 10.50.1.11/24.

Network Topology
Figure 1-24 shows an example network for inband management through SSH in a LAN, and
Figure 1-25 shows an example network for inband management through SSH in a WAN.
Figure 1-24 Example network for inband management through SSH in a LAN

Figure 1-25 Example network for inband management through SSH in a WAN

Data Plan
Table 1-11 and Table 1-12 provide the data plan for the inband management through SSH in a
LAN and in a WAN respectively.
Table 1-11 Data plan for the inband management through SSH in a LAN
Item

1.3.19 Saving the Data
This topic describes how to save the data in the flash memory to prevent data loss in case of
unexpected restart.

Precautions
l

During the command running, the system displays the corresponding prompt. Do not power
off or restart the system before the saving process is complete. Otherwise, the data in the
flash memory may be damaged.

l

Saving the data frequently affects the system performance.

Procedure
Step 1 In the privilege mode, run the save command to save the database file and the configuration file
of the current system in the flash memory.
----End

Result
When the data is saved successfully, the system displays the corresponding prompt.

Example
To save the database file and the configuration file to the flash memory manually, do as follows:
huawei#save
{ <cr>|configuration<K>|data<K> }:
Command:
save
huawei#

It will take several minutes to save configuration file, please wait...
huawei#
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
huawei#
The data is being saved, please wait a moment...

1.3.20 Backing Up System Files
When the first deployment or upgrade is complete, you need to back up the database file and
the configuration file so that the system can be easily recovered in case of a fault.

Prerequisites
If the maintenance Ethernet port is used to back up the system file, ensure that:
l

The Ethernet port of the maintenance terminal must be connected to the maintenance
Ethernet port on the MA5600T using a crossover cable. In addition, the IP address of the
maintenance terminal and the IP address of the maintenance Ethernet port on the device
must be in the same subnet.

l

The application program that is used for backing up the system file is installed on the
maintenance terminal, such as the TFTP, SFTP, or FTP program. In this topic, the TFTP
program is considered as an example.

Procedure
Step 1 Run the TFTP program on the maintenance terminal, and set the path for saving the backup files.
By default, the backup files are saved to the installation path of the TFTP software.
NOTE

The system supports a system backup using either the serial port or the maintenance Ethernet port. The
backup using the serial port uses the Xmodem protocol, and the backup using the maintenance Ethernet
port uses the TFTP, SFTP, or FTP protocol. For details about the configuration of Xmodem/TFTP/SFTP/
FTP, see Contacting Huawei for Assistance.

Step 2 In the privilege mode, run the save command to save the data.
Step 3 In the privilege mode, run the backup data command to back up the database file.
Step 4 In the privilege mode, run the backup configuration command to back up the configuration
file.
----End

Result
After the backup is completed, you can locate the files backed up in the path that you set.

Example
To back up the database file to the TFTP server (IP address: 10.10.1.2) using TFTP, and name
the file 2009070101.txt, do as follows:
huawei#backup data tftp 10.10.1.2 2009070101.txt

To back up the configuration file to the TFTP server (IP address: 10.10.1.2) using TFTP, and
name the file 2009070102.txt, do as follows:
huawei#backup configuration tftp 10.10.1.2 2009070102.txt

1.4 Interconnection Commissioning
The MA5600T provides multiple interfaces for interconnection. This topic describes the
interconnection commissioning of the MA5600T.

1.4.1 Commissioning the Interconnection with the NMS
The MA5600T provides the function of interconnecting with the network management system,
with which the administrator can maintain and manage the MA5600T using the NMS. This topic
considers the iManager NMS Network Management System as an example to describe how to
perform the interconnection commissioning between the NMS and the MA5600T in the inband
mode and the outband mode.

Commissioning Inband Network Management
This topic describes how to implement the inband network management on the MA5600T using
the upstream port (inband network management port). This enables the NMSto maintain the
MA5600T using this management channel. In the inband network management mode, the service
channel of the device is used to transmit the management information. The network is flexible
and requires no additional devices, which helps save the cost for carriers. This network, however,
is difficult to maintain.

Service Requirements
In the network as shown in Figure 1-34, the service requirements are as follows:
l

The MA5600T provides the inband network management using the upstream port.

l

The upstream port of the GIU board on the MA5600T is used as the inband network
management port.

l

A static route is used between the MA5600T and the NMS.

l

SNMP V3 is used (more reliable than V1 and V2, providing network security and access
control management functions).

If the packet transmitted from the upstream port is untagged, run the native-vlan command to
configure the native VLAN of the upstream port to be the same as the VLAN of the upstream
port.

2.

Add a route for the inband network management.
Use the static route. The destination IP address is 10.10.1.0/24 (the network segment
to which the NMS belongs), and the gateway IP address is 10.50.1.1/24 (the IP address
of the gateway of the MA5600T).
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

The user name is user1, the group name is group1, the user authentication mode
is MD5, the authentication password is authkey123, the user encryption mode
is des56, the encryption password is prikey123, the read and write view names
are hardy, and the view includes the internet subtree.
huawei(config)#snmp-agent usm-user
authentication-mode md5 authkey123
huawei(config)#snmp-agent group v3
write-view hardy
huawei(config)#snmp-agent mib-view

(Optional) Set the ID and contact means of the administrator.
The contact means of the administrator is HW-075528780808.
huawei(config)#snmp-agent sys-info contact HW-075528780808

c.

(Optional) Set the location of the device.
The location of the device is Shenzhen_China.
huawei(config)#snmp-agent sys-info location Shenzhen_China

d.

(Optional) Configure the engine ID of the SNMP entity.
The engine ID of the SNMP entity is set to 0123456789.
NOTE

The context engine ID of the SNMP must be the same as that on the NMS.
huawei(config)#snmp-agent local-engineid 0123456789

e.

Set the SNMP version.
The SNMP version is SNMP V3.
NOTE

The SNMP version must be the same as the SNMP version set on the NMS.
huawei(config)#snmp-agent sys-info version v3

4.

Enable the function of sending traps.
On the MA5600T, enable the function of sending traps to the NMS.
huawei(config)#snmp-agent trap enable standard

5.

Configure the IP address of the destination host for the traps.
The host name is huawei, the IP address of the host is 10.10.1.10/24 (IP address of
the NMS), the trap parameter name is ABC, the SNMP version is V3, the parameter
security name is user1 (when the SNMP V3 is used, the parameter security name is
the USM user name), and the traps are authenticated and encrypted.
huawei(config)#snmp-agent target-host trap-hostname huawei
address 10.10.1.10 trap-paramsname ABC
huawei(config)#snmp-agent target-host trap-paramsname
ABC v3 securityname user1 privacy

6.

Configure the IP address of the VLAN interface as the source address for sending
traps.
Enable the forwarding of the SNMP packets from the Layer 3 interface of VLAN 1000
of the MA5600T.
huawei(config)#snmp-agent trap source vlanif 1000

7.

Save the data.
huawei(config)#save

l

Commission the inband network management on the NMS.
1.

Configure the gateway of the route from the NMS server to network segment
10.50.1.0/24 to 10.10.1.1.
– In the Solaris OS, do as follows:

Run the route add 10.50.1.0 10.10.1.1 command to add a route.
Run the netstat -r command to query the information about the current routing
table.
– In the Windows OS, do as follows:
Run the route add 10.50.1.0 mask 255.255.255.0 10.10.1.1 command to add a
route.
Run the route print command to query the information about the current routing
table.
NOTE

When the IP address of the network management port and the IP address of the NMS are in
the same network segment, you need not configure the routing information.

On the NE Access Parameters tab page, click Reset. In the dialog box that is
displayed, click the corresponding tab, and then click Add.

c.

Choose SNMP v3 Parameter, set the SNMP parameters in the lower pane, as
shown in Figure 1-36.

Figure 1-36 Set the SNMP parameters

After selecting corresponding protocols in Priv Protocol and Auth Protocol,
click
next to the parameter, and set the passwords of data encryption protocol
and authentication protocol, as shown in Figure 1-37.

NE User, Context Engine ID, Priv Protocol and password, and Auth Protocol and
password must be the same as those configured on the MA5600T. You can run the display
snmp-agent usm-user command to query the device user, data encryption protocol, and
authentication protocol on the MA5600T and run the display snmp-agent localengineid command to query the context engine ID on the MA5600T.

3.

d.

Click OK.

e.

Select the added SNMP parameters. Click OK.

f.

In the dialog box that is displayed, click Yes to test the set SNMP parameters.

g.

The NMS displays the Loading dialog box. After the testing is complete, click
OK.

Add a device.
a.

In the Physical Root navigation tree on the Main Topology tab page, right-click
and choose New > NE from the shortcut menu.

b.

In the dialog box that is displayed, choose Access NE > Access NE from the
main menu.

c.

In the dialog box that is displayed, set the required parameters, as shown in
Figure 1-38.
IP address is 10.50.1.10, Device Name is huawei, SNMP Parameters is SNMP
V3:default.

Click OK. The system prompts a message indicating that several seconds or some 10
minutes are required for uploading the device data. After the related data is read, the
system automatically refreshes and displays the device icon.

Commissioning Outband Network Management
This topic describes how to implement the outband network management on the MA5600T using
the local maintenance Ethernet port (outband network management port). This enables the
U2000 to maintain the MA5600T using this management channel. In the outband network
management mode, a non-service channel is used to transmit the management information. With
the use of the non-service channel, the management channel is separated from the service
channel, which is more reliable than in the inband network management mode.

Service Requirements
In the network as shown in Figure 1-39, the service requirements are as follows:
l

The MA5600T provides the outband network management channel using the local
maintenance Ethernet port.

l

A static route is used between the MA5600T and the NMS.

l

SNMP V3 is used (more reliable than V1 and V2, providing network security and access
control management functions).

Figure 1-39 Example network for the outband network management

Figure 1-40 shows the flowchart for commissioning the outband network management on the
device.

About This Chapter
Basic configurations mainly include certain common configurations, public configurations, and
pre-configurations in service configurations. There is no obvious logical relation between basic
configurations. You can perform basic configurations according to actual requirements.
2.1 Configuring the License Function
With the license platform enabled, the license server performs license control on the function
entries and resource entries supported by the MA5600T and provides customized services for
users.
2.2 Configuring Alarms
Alarm management includes the following functions: alarm record, alarm setting, and alarm
statistics. These functions help you to maintain the device and ensure that the device works
efficiently.
2.3 Configuring the Network Time
Configuring the NTP protocol to keep the time of all devices in the network synchronized, so
that the Background Information implement various service applications based on universal
time, such as the network management system and the network accounting system.
2.4 Adding Port Description
After the description of a physical port on the board is added, the description facilitates
information query in system maintenance.
2.5 Configuring the Attributes of an Upstream Ethernet Port
This topic describes how to configure the attributes of a specified Ethernet port so that the system
communicates with the upstream device in the normal state.
2.6 Configuring a VLAN
Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a
service, make sure that the VLAN configuration based on planning is complete.
2.7 Configuring a VLAN Service Profile
Integrate VLAN-related configurations into the VLAN service profile so that all attributes take
effect immediately after the VLAN service profile is bound to the VLAN. This increases the
configuration efficiency.
2.8 Configuring the User Security
Issue 01 (2012-01-18)

Configuring the security mechanism can protect operation users and access users against user
account theft and roaming or from the attacks from malicious users.
2.9 Configuring System Security
This topic describes how to configure the network security and protection measures of the system
to protect the system from malicious attacks.
2.10 Configuring the ACL
This topic describes the type, rule, and configuration of the ACL on the MA5600T.
2.11 Configuring QoS
This topic describes how to configure quality of service (QoS) on the MA5600T.
2.12 Configuring AAA
This topic describes how to configure the AAA on the MA5600T, including configuring the
MA5600T as the local and remote AAA servers.
2.13 Configuring ANCP
Access Node Control Protocol (ANCP) is used to implement the functions such as topology
discovery, line configuration, and L2C OAM on the user ports. The MA5600T establishes an
ANCP session according to the GSMP communication IP address configured in the network
access server (NAS).

2.1 Configuring the License Function
With the license platform enabled, the license server performs license control on the function
entries and resource entries supported by the MA5600T and provides customized services for
users.

Prerequisites
The license platform must be enabled.

Application Context
The license platform provides the registration mechanism for the service modules of the
MA5600T. During system initialization, the service modules need to register for the controlled
resource entries or the controlled function entries. After the system starts to work, based on the
controlled entries that are registered, the license client management module obtains the
authentication information about the license controlled entries of the MA5600T from the license
server.
When a service module is configured through the command line interface (CLI) or NMS, the
device checks whether the resource entries of the service module or the function entries of the
service module are overloaded.
l

If overload occurs, the system quits the service configuration and displays a prompt of
insufficient license resources.

l

If overload does not occur, the system allows the user to continue configuring and using
the service. When the service configuration is deleted, the system automatically releases
the license resources occupied by the service configuration.

Background Information
l

The MA5600T adopts the network license solution, that is, a license server is deployed in
the network. In this case, each MA5600T is like a license client, and the licenses of all the
clients are managed by the license server in a centralized manner.

l

In the management scope of the license server (generally a region or a city), each product
has only one license file that is stored on the license server. The resources of the product
that are controlled by the license are defined by the license file. Because one license server
can manage multiple products, multiple license files can be stored on one license server.

Precautions
If you need to use the license function supported by the MA5600T, be sure to consider the
deployment of the license server in network planning.

Procedure
Step 1 Configure the interface that is for communicating with the license server.
1.

Run the vlan command to create a VLAN.

2.

Run the port vlan command to add an upstream port to the VLAN.

3.

(Optional) Run the native-vlan command to configure the default VLAN of the upstream
port.

Whether the native VLAN needs to be set for the upstream port depends on whether the
upper-layer device connected to the upstream port supports packets carrying a VLAN tag.
The setting on the MA5600T must be the same as that on the upper-layer device.
4.

Run the ip address command to configure the IP address of the VLAN L3 interface so that
the IP packets in the VLAN are forwarded by using this IP address.

5.

Run the ip route-static command to configure the static route to the license server.

Step 2 Run the license esn command to configure the ESN of the device.
Each client of the license server is uniquely identified by the ESN. The ESN should be configured
if the user enables the license function. The ESN can be the NMS IP address of the device or
the IP address of the VLAN L3 interface.
Step 3 Run the license server command to configure the license server.
If the user enables the license function, configure the IP address and TCP port ID of the license
server so that the license server can communicate with the client.
Step 4 Run the display license info command to query the communication status between the device
and the license server.
----End

2.2 Configuring Alarms
Alarm management includes the following functions: alarm record, alarm setting, and alarm
statistics. These functions help you to maintain the device and ensure that the device works
efficiently.

Background Information
An alarm refers to the notification of the system after a fault is detected. After an alarm is
generated, the system broadcasts the alarm to the terminals, mainly including the NMS and
command line interface (CLI) terminals.
Alarms are classified into fault alarm and recovery alarm. After a fault alarm is generated at a
certain time, the fault alarm lasts till the fault is rectified to clear the alarm.
You can modify the alarm settings according to your requirements. The settings are alarm
severity, alarm output mode through the CLI and alarm statistics switch.
Issue 01 (2012-01-18)

When managing alarms on the GUI through the NMS, you can set filtering criteria to mask
unimportant alarms and events. Such filtering function facilitates the focus of the important
alarms and eliminates the load of the NMS.

Procedure
l

You can run the alarm active clear command to clear the alarms that are not recovered in
the system.
– When an active alarm lasts a long time, you can run this command to clear the alarm.
– Before clearing an alarm, you can run the display alarm active command to query the
currently active alarms.

l

Run the alarm alarmlevel command to configure the alarm level.
– Alarm levels are critical, major, minor, and warning.
– Parameter default indicates restoring the alarm level to the default setting.
– You can run the display alarm list command to query the alarm level.
– The system specifies the default (also recommended) alarm level for each alarm. Use
the default alarm level unless otherwise required.

l

Run the alarm jitter-proof command to configure the alarm jitter-proof function and the
jitter-proof period.
– To prevent a fault alarm and its recovery alarm from being displayed frequently, you
can enable the alarm jitter-proof function to filter alarms in the system.
– After the alarm jitter-proof function is enabled, the alarm in the system is not reported
to the NMS immediately but is reported to the NMS after an alarm jitter-proof period.
– If an alarm is recovered in an alarm jitter-proof period, the alarm is not reported to the
NMS.
– You can run the display alarm jitter-proof command to check whether the alarm jitterproof function is enabled and whether the alarm jitter-proof period is set.
– By default, the alarm jitter-proof function is disabled. You can determine whether to
enable the function according to the running of the device.

l

Run the (undo) alarm output command to set or shield the output of alarms to the CLI
terminal.
– Setting the output mode of alarms does not affect the generating of alarms. The alarms
generated by the system are still recorded. You can run the display alarm history
command to query the alarms that are shielded.
– When the new output mode of an alarm conflicts with the previous mode, the new output
mode takes effect.
– The output mode of the recovery alarm is the same as the output mode of the fault alarm.
When the output mode of the fault alarm is set, the system automatically synchronizes
the output mode of its recovery alarm. The reverse is also applicable.

l

Run the alarm-event statistics period command to set the alarm statistics collection
period.
– You can use the statistical result of alarms and events to locate a problem in the system.
– You can run the display alarm statistics command to query the alarm statistical record.

Run the display alarm statistics command to query the alarm statistical record.
– When you need to know the frequency in which one alarm occurs within a time range,
and to know the working conditions of the device and analyze the fault that may exist,
run this command.
– Currently, you can query the alarm statistics in the current period and previous period
in the system.

l

Run the trap filter alarm condition command to filter alarms that the device reports to
the NMS through traps.
The filtering criteria can be alarm ID, alarm severity, alarm type, subrack ID, subrack ID/
slot ID, subrack ID/slot ID/port ID, VLAN interface, and NE.
To reduce alarms and avoid alarm storms, the system does not send alarms of some ONTs
to the NMS. To query the filtering criteria of alarms and events in the system, run the
display trap filter command.

l

In FTTH scenarios, you can configure the ONT alarm policy profile to configure alarms
for different service policies.
1.

Create an ONT alarm policy profile.
Run the ont-alarm-policy command to create an ONT alarm policy profile.
The system supports a maximum number of 16 alarm policy profiles. The default
alarm policy profile is profile 0.
It is recommended that you configure different alarm policies for VIP and common
users.

2.

Configure attributes of the ONT alarm policy profile.
Run the alarm filter command to configure the control function of each alarm of the
profile.
Run the commit command to save the configuration.
Run the display ont-alarm-policy command to query attributes of the ONT alarm
policy profile.

3.

Bind the ONT to the ONT alarm policy profile.
Run the ont alarm-policy command to bind the ONT to the ONT alarm policy profile
so that the PON board can control whether to send the ONT alarm information.
During ONT adding or confirmation, the system binds the ONT to the default ONT
alarm policy profile 0.

----End

Example
Assume the following configurations: The output of all alarms at level warning is shielded to
the CLI terminal, the alarm jitter-proof function is enabled, the alarm jitter-proof period is set
to 15s, the level of alarms with IDs 0x0a310021 and 0x2e314021 are modified to critical, do as
follows:
huawei(config)#undo alarm output alarmlevel warning
huawei(config)#alarm jitter-proof on

To mask the online and offline alarm of the ONT (alarm IDs 0x2e11a00b and 0x2e12a00b) so
that normal operations are not affected by too many alarms, do as follows:
huawei(config)#undo alarm output alarmid 0x2e11a00b
huawei(config)#undo alarm output alarmid 0x2e12a00b

To create ONT alarm policy profile 10, filter the following alarms, and bind this profile to GPON
ONT 1 connected to port 0/3/0, do as follows:
l

0x2e112003 (The signal degrade of ONTi (SDi) occurs)

l

0x2e112004 (The signal fail of ONTi (SFi) occurs)

l

0x2e112006 (The loss of frame of ONTi (LOFi) occurs)

l

0x2e313015 (The hardware of the ONT is faulty)

l

0x2e313016 (The ONT switches to the standby battery)

l

0x2e313017 (The standby battery of the ONT is lost)

l

0x2e313018 (The standby battery of the ONT cannot be charged)

l

0x2e313019 (The voltage of the standby battery of the ONT is too low)

l

0x2e31301a (The shell of the ONT is opened)

l

0x2e313024 (The loss of signals occurs on the ethernet port of the ONT)

2.3 Configuring the Network Time
Configuring the NTP protocol to keep the time of all devices in the network synchronized, so
that the Background Information implement various service applications based on universal
time, such as the network management system and the network accounting system.

RFC defines the structures, arithmetics, entities and protocols used in the implementation
of NTP.
l

NTP is developed from the time protocol and the ICMP timestamp message protocol, with
special design on the aspects of accuracy and robustness.

l

NTP runs over UDP with port number as 123.

l

Any local system that runs NTP can be time synchronized by other clock sources, and also
act as a clock source to synchronize other clocks. In addition, mutual synchronization can
be done through NTP packets exchanges.

NTP is applied to the following situations where all the clocks of hosts or routers in a network
need to be consistent:
l

In the network management, an analysis of log or debugging information collected from
different routers needs time for reference.

l

The charging system requires the clocks of all devices to be consistent.

l

Completing certain functions, for example, timing restart of all the routers in a network
requires the clocks of all the routers be consistent.

l

When several systems work together on the same complicate event, they have to take the
same clock for reference to ensure correct implementation order.

l

Incremental backup between the backup server and clients requires clocks on them be
synchronized.

When all the devices on a network need to be synchronized, it is almost impossible for an
administrator to manually change the system clock by command line. This is because the work
load is heavy and clock accuracy cannot be ensured. NTP can quickly synchronize the clocks
of network devices and ensure their precision.
There are four NTP modes: server/client, peer, broadcast and multicast modes. The MA5600T
supports all these modes.

2.3.1 (Optional) Configuring NTP Authentication
This topic describes how to configure NTP authentication to improve the network security and
prevent unauthorized users from modifying the clock.

Prerequisites
Before configuring the NTP client/server mode, make sure that the network interface and the
routing protocol of the MA5600T are configured so that the server and the client are reachable
to each other at the network layer.

Background Information
In certain networks that have strict requirements on security, enable NTP authentication when
running the NTP protocol. Configuring NTP authentication is classified into configuring NTP
authentication on the client and configuring NTP authentication on the server.

Precautions
l

If NTP authentication is not enabled on the client, the client can synchronize with the server,
regardless of whether NTP authentication is enabled on the server.

l

If NTP authentication is enabled, a reliable key should be configured.

l

The configuration of the server must be the same as that of the client.

l

When NTP authentication is enabled on the client, the client can pass the authentication if
the server is configured with the same key as that of the client. In this case, you need not
enable NTP authentication on the server or declare that the key is reliable.

l

The client synchronizes with only the server that provides the reliable key. If the key
provided by the server is unreliable, the client does not synchronize with the server.

l

The flow of configuring NTP authentication is as follows: start->enable NTP
authentication->configure the reliable NTP authentication key->declare the reliable key>end.

Procedure
Step 1 Run the ntp-service authentication enable command to enable NTP authentication.
Step 2 Run the ntp-service authentication-keyid command to set an NTP authentication key.
Step 3 Run the ntp-service reliable authentication-keyid command to declare that the key is reliable.
----End

Example
To enable NTP authentication, set the NTP authentication key as aNiceKey with the key number
42, and then define key 42 as a reliable key, do as follows:
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 42 authentication-mode md5 aNice
Key
huawei(config)#ntp-service reliable authentication-keyid 42

A protection group works in either of the following modes:
1. Port status detection mode.
l Two ports of the protection group or the transmit ports on two boards are enabled. You can
determine whether to perform a switchover according to the port status.
l When the number of ports that are in the up state on the standby board is larger than the number
of ports that are in the up state on the active board, a switchover is triggered.
2. Time delay detection mode.
l Only one transmit port of the protection group is enabled, and the other is disabled.
l When the enabled transmit port is in the down state, disable the transmit port and enable the other
transmit port.
l If the second port is in the up state, a switchover is performed. Otherwise, the detection continues.

Procedure
l

Configure redundancy backup for the uplink by configuring an aggregation group.
1.

Create an Ethernet port aggregation group.
Run the link-aggregation command to add multiple upstream Ethernet ports to the
same aggregation group to implement protection and load balancing between ports.
When configuring port aggregation, note that the SCU board does not support interboard aggregation. When you run the link-aggregation command, if frameid/slotid
is entered twice, inter-board aggregation is configured; if frameid/slotid is entered
only once, intra-board aggregation is configured.

2.

(Optional) Add members to the aggregation group.
Run the link-aggregation add-member command to add an Ethernet port to an
existing aggregation port to increase the bandwidth of the aggregation port and
improves the link reliability.
NOTE

This step is optional and is recommended if you need to further increase the bandwidth of an
aggregation group or improve the link reliability.

3.

l

Query the information about the aggregation group.
Run the display link-aggregation command to query the types, number, and working
modes of aggregated Ethernet ports.

Create an upstream port protection group.
In the protect mode, run the protect-group command to create an upstream port
protection group. After the protection group is configured successfully, the system
switches the service over to the standby port to protect the uplink if the connection
between the active port and the upper-layer device is broken.
When running the protect-group to create a protection group, if frameid/slotid/
portid is entered, a port-level protection group is created; if frameid/slotid is entered,
a board-level protection group is created.

1. When working in the load balancing mode, the SCUN board supports the board-level protection
of the control board.
2. When supporting the board-level protection of the control board, the SCUB or SCUN board can
work in only the port status detection mode.

2.

Query the information about the protection group.
Run the display protect-group command to query the information about the
protection group and all the members in the protection group.

----End

Example
Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the same GIU board are configured as an
upstream port aggregation group, packets are distributed to the member ports of the aggregation
group according to the source MAC address, and the working mode is the LACP static
aggregation mode. To perform these configurations, do as follows:
huawei(config)#link-aggregation 0/17 0-1 ingress workmode lacp-static

Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/18/0 on the same GIU board are configured as an interboard aggregation group, packets are distributed to the member ports of the aggregation group
according to the source MAC address and destination MAC address, and the working mode is
the LACP static aggregation mode. To perform these configurations, do as follows:
huawei(config)#link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static

Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the same GIU board are configured as an
upstream port protection group, port 0/17/0 functions as the active port, port 0/17/1 functions as
the protection port, the working mode is the delay detection mode, and enable the protection
group function. To perform these configurations, do as follows:
huawei(config-protect)#protect-group first 0/17/0 second 0/17/1 eth workmode
timedelay enable

When the MA5600T is configured with only one SCUN board, to configure the SCUN board
and the GIU slot as an inter-board aggregation group, distribute packets to each member port
according to the source MAC address, and configure the working mode to LACP static
aggregation, do as follows:
huawei(config)#link-aggregation 0/9 0-3 0/20 0-1 ingress workmode lacp-static

8.3 Configuring the Smart Link Redundancy Backup
The smart link is a solution that is applied in the network with dual uplinks and provides reliable
and efficient backup and quick switching for the dual uplinks. The solution provides high
reliability for carriers' network.

Background Information
Thus, the smart link solution is applied to the access network. With this solution, redundancy
backup for active and standby links and quick switching are implemented for a dual homing
network. This ensures high reliability and quick convergence. Meanwhile, as a supplementary
Issue 01 (2012-01-18)

to the smart link solution, the monitor link solution is introduced to monitor uplinks. This
improves the backup function of the smart link solution.
The smart link and monitor link feature, which is applied to the scenario of a network with dual
uplinks (the network is connected to the upstream IP network through dual uplinks), is related
to the OLT and the upstream network device. The upstream network device such as the router
must support the smart link and monitor link feature.
NOTE

The smart link and monitor link feature is put forth by Huawei. Currently, only Huawei devices support this
technology.

Smart link-related concepts:
l

Smart link protection group
A smart link group contains up to two ports, namely one master port and one slave port. In
normal conditions, only one port is in the active state, and the other port is blocked and in
the standby state. When the port in the active state fails, the smart link group automatically
blocks the port, and switches the previously standby port to the active state.

l

Master port
The master port, which is also called the work port, is a port role in a smart link group.
When both ports are in the standby state, the master port takes priority to switch to the
active state.

l

Slave port
The slave port, which is also called the protection port, is a port role in the smart link group.
When both ports are in the standby state, the master is prevailed upon to switch to the active
state, and the slave port remains in the standby state.

l

Flush packet
After link switching occurs on the smart link group, the original forwarding entry is not
applicable to the network with new topology, and the upstream convergence device needs
to update the MAC and ARP entries. In this case, the smart link group notifies the other
devices in the network of updating the address table through sending the notification packet.
This notification packet is the flush packet.

Monitor link-related concepts:
l

Monitor link group
A monitor link group is composed of one uplink and several downlinks.

l

Uplink
When the uplink in a monitor link group fails, it indicates that the monitor link group fails.
In this case, the downlinks in the monitor link group will be blocked by force.

l

Downlink
When a downlink in a monitor link group fails, it does not affect the uplink or the other
downlinks.

A smart link can work in either the active/standby mode or the load balancing mode. The
differences are as follows:
l

In the active/standby mode, both ports are enabled. Only the master port is in the active
state and can forward data. The slave port is blocked and is in the standby state.

l

In the load balancing mode, both ports are enabled. If both ports work in the normal state,
the data is forwarded through both ports, implementing load balancing.

Run the protect-group command to create a smart link protection group. The protection
group works in either the active/standby mode or the load balancing mode.
NOTE

l When configuring a smart link protection group, set the protected object to eth-nni-port. Working
modes of other types do not support the smart link feature.
l Keyword smart-link: Indicates the smart-link active and standby mode. In this mode, both members
in the PG are enabled, but only the active member forwards data.
l Keyword smart-link load-balance: Indicates the smart-link load balancing mode. In this mode, both
links are enabled to share load to improve the usage ratio of the line.

2.

Run the protect-group member command to add members to a smart link protection
group.
When adding members to the protection group, add a working member, and then add a
protection member.

3.

Run the protect-group enable command to enable the smart link protection group.
After a protection group is created, the protection group is in the disabled state by default.
You should enable the protection group to make the configuration take effect.

4.

Query the information about the protection group.
Run the display protect-group command to query the information about the protection
group and all the members in the protection group.

Step 2 Configure the flush packet sending mode.
After service switching occurs on a protection group, the original forwarding entry is not
applicable to the new network, and the entire network needs to update the MAC and ARP entries.
In this case, the protection group sends flush packets to other devices to notify them of updating
the MAC and ARP entries.
1.

2.

Run the flush send command to configure the flush packet sending parameters of the
protection group, including the control VLAN and the password.
a.

If the flush packet sending parameters are not configured, no flush packet is sent when
switching occurs on the protection group.

b.

If the protection group is not in the control VLAN, no flush packet is sent.

c.

The peer device must support receiving flush packets, and the flush packet receiving
function of the corresponding port must be enabled.

Run the display flush receive command to query the port that receives flush packets and
the flush packet receiving parameters.

Step 3 (Optional) Run the load-balance instance command to configure the load balancing parameters
of a protection group.
Load balancing parameters determine that the working member and protection member carry
different STP instances. Because VLANs are mapped to STP instances, the load balancing
parameters in practice determine through which port (working member or protection member)
the packets with different VLAN tags are transmitted.
NOTE

Configure the load balancing parameters only when the specified smart link protection group works in the load
balancing mode.

l This command is used to configure STP instances that are carried by the protection member.
The instances that are unconfigured are carried by the working member.
l The load balancing parameters of a protection group are based on STP instances preconfigured. You can run the instance vlan command to map VLANs to STP instances.
Step 4 (Optional) Configure a monitor link group.
The monitor link group and the smart link protect group are generally used together for
monitoring the uplink and completing the smart link redundancy.
NOTE

1. Generally, the monitor link group is configured on the upper-layer device (such as a router) that is
interconnected with the OLT, subtended to the smart link protection group.
2. You need to configure the monitor link on the MA5600T for monitoring the uplink of the subtended OLT
only when the MA5600T functions as an upper-layer device interconnecting with the OLT. Otherwise, the
configuration is meaningless.

1.

Run the monitor-link group command to create a monitor link group, and enter the monitor
link group mode.
A monitor link group consists of one upstream port and multiple downstream ports. When
the upstream port is faulty, the downstream ports are disabled. Thus, the downstream
devices can detect the link fault and switch the services to a normal link.

2.

Run the member port command to add members to a monitor link group.
l The uplink of a monitor link group can be a common Ethernet port, the master port of
a protection group, or the master port of an aggregation group.
l The downlink of a monitor link group can be only a common Ethernet port.

3.

Run the display monitor-link group command to query the information about the monitor
link group.

----End

Example
Assume the following configurations: The MA5600T implements dual uplinks through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the GIU board are added as members of smart
link protection group 2, port 0/17/0 functions as the working port, port 0/17/1 functions as the
protection port, the working mode is the load balancing mode, where,
l

The STP instance 1 (mapping to VLAN 100-110) is carried by the working member.

l

The STP instance 2 (mapping to VLAN 120-130) is carried by the protection member.

l

The control VLAN of flush packets is VLAN 10, and the password is abc.

8.4 Configuring the MPLS Service Board Redundancy
Backup
This topic describes how to configure 1+1 redundancy backup for the MPLS service board. In
this way, when the MPLS service board is faulty, the service is not affected.

Context
Only MPLS boards of the same type support redundancy backup.

Procedure
Step 1 Create a protection group.
Run the protect-group command to a protection group that protects the service processing
board.
l Configure protect-target to service-process-board.
l The working mode of the MPLS service board protection group can be only boardstate.
Step 2 Add members to the protection group.
Run the protect-group member command to add members to a protection group.
l When adding members to the protection group, add a working member, and then add a
protection member.
l Adding a protection group member based on the port is not supported for the MPLS service
board, and only adding a protection group member based on the board is supported.
Step 3 Enable the protection group.
Run the protect-group enable command to enable the protection group. After a protection group
is created, the protection group is in the disabled state by default. You should enable the
protection group to make the configuration take effect.
Step 4 Query the information about the protection group.
Run the display protect-group command to query the information about the protection group
and all the members in the protection group.
----End

Example
To configure redundancy back for MPLS boards in slots 0/4 and 0/5 of the MA5600T so that
when the service board in slot 0/4 fails, the system can automatically switch the services to the
service board in slot 0/5.
huawei(config)#protect-group 1 protect-target service-process-board workmode
boardstate
huawei(protect-group-1)#protect-group member board 0/4 role work
huawei(protect-group-1)#protect-group member board 0/5 role protect
huawei(protect-group-1)#protect-group enable

8.5 Configuring GPON Type B Protection
Type B protection is to configure 1+1 redundancy backup of different GPON ports on
MA5600T. In this way, when a GPON port is faulty, automatic switching is performed and the
services are not affected.

Background Information
The GPON port supports redundancy backup on the same board and the redundancy on different
boards. The differences are as follows:
l

Port redundancy backup on the same board does not require extra GPON service board,
which saves hardware resources. In case that the GPON service board fails, however, the
services on the entire board are interrupted.

l

Port redundancy backup on the different boards requires an independent standby GPON
service board, which increases the hardware cost. In the case that the active GPON service
board fails, however, the services can be automatically switched over to the GPON ports
on the standby board, and the service access is not affected.
NOTE

Only GPON boards of the same type support inter-board redundancy backup.

After Type B protection is configured, service configuration on the ONU is the same as that
before Type B protection is configured. That is, service configuration is applied to the active
GPON port only.
Figure 8-1 shows the Type B protection network topology.
Figure 8-1 Type B protection network topology

Procedure
Step 1 Create a GPON port protection group.
Run the protect-group command to add a protection group that protects the ports on the GPON
access side.
NOTE

1. Configure protect-target to gpon-uni-port.
2. The working mode of the GPON port protection group can be only timedelay.

Run the protect-group member command to add members to a protection group.
NOTE

l When adding members to the protection group, add a working member, and then add a protection member.
l Adding a protection group member based on the board is not supported for the GPON port, and only adding
a protection group member based on the port is supported.
l The member ports can be ports on different GPON boards, but the GPON board types must be the same.

Step 3 Enable the protection group.
Run the protect-group enable command to enable the GPON protection group. After a
protection group is created, the protection group is in the disabled state by default. You should
enable the protection group to make the configuration take effect.
Step 4 Query the information about the protection group.
Run the display protect-group command to query the information about the protection group
and all the members in the protection group.
NOTE

The GPON protection group supports the binding to a PPPoE single-MAC address pool. When the PPPoE singleMAC address function is enabled, run the bind mac-pool single-mac command to bind a GPON protection
group to a PPPoE single-MAC address. If the GPON protection group is not bound to the PPPoE source MAC
address, when the GPON protection group is switched over, the PPPoE service carried on this port is interrupted.
In this case, you must re-dial and determine the service interruption time according to the BRAS configuration.
This may fail to meet the switchover performance requirement that the service interruption time must not exceed
50 ms.

----End

Example
To configure redundancy backup for ports 0/4/0 and 0/4/1 on the same GPON board of the
MA5600T so that when port 0/4/0 is faulty, the system can automatically switch the service to
port 0/4/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target gpon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/4/0 role work
huawei(protect-group-0)#protect-group member port 0/4/1 role protect
huawei(protect-group-0)#protect-group enable

To configure inter-board redundancy backup for ports 0/5/1 and 0/6/1 on different GPON boards
of the MA5600T so that when port 0/5/1 is faulty, the system can automatically switch the service
to port 0/6/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target gpon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/5/1 role work
huawei(protect-group-0)#protect-group member port 0/6/1 role protect
huawei(protect-group-0)#protect-group enable

8.6 Configuring EPON Type B Protection
This topic describes how to configure 1+1 redundancy backup for the EPON service board. After
1+1 redundancy backup is configured, services will not be affected when the EPON service
board is faulty.

Background Information
The EPON port supports redundancy backup on the same board and redundancy on different
boards. The differences are as follows:
Issue 01 (2012-01-18)

Port redundancy backup on the same board does not require an extra EPON service board,
which saves hardware resources. If the EPON service board fails, however, services carried
on the entire board will be interrupted.

l

Port redundancy backup on different boards requires an independent standby EPON service
board, which increases the hardware cost. In the case that the active EPON service board
fails, however, the services can be automatically switched over to the EPON ports on the
standby board, and the service access will not be affected.
NOTE

Only the same type of EPON boards support inter-board redundancy backup.

Procedure
Step 1 Create an EPON port protect group.
Run the protect-group command to a protect group that protects the ports on the EPON access
side.
NOTE

1. Configure protect-target to epon-uni-port.
2. The working mode of the EPON port protect group can be only timedelay.

Step 2 Add members to the protect group.
Run the protect-group member command to add members to a protect group.
NOTE

l When adding members to the protect group, add a working member, and then add a protection member.
l Adding a protect group member based on the board is not supported for the EPON port, and only adding a
protect group member based on the port is supported.
l The member ports can be ports on different EPON boards, but the EPON board types must be the same.

Step 3 Enable the protect group.
Run the protect-group enable command to enable the smart link protect group. After a protect
group is created, the protect group is in the disabled state by default. You need to enable the
protect group to make the protect group take effect.
Step 4 Query the information about the protect group.
Run the display protect-group command to query the information about the protect group and
all the members in the protect group.
NOTE

The EPON protect group supports the binding to a PPPoE single-MAC address pool. When the PPPoE singleMAC address function is enabled, run the bind mac-pool single-mac command to bind an EPON protect group
to a PPPoE single-MAC address. If the EPON protect group is not bound to the PPPoE source MAC address,
when the EPON protect group is switched over, the PPPoE service carried on this port is interrupted. In this
case, you must re-dial and determine the service interruption time according to the BRAS configuration. This
may fail to meet the switchover performance requirement that the service interruption time must not exceed 50
ms.

----End

Example
To configure redundancy backup for ports 0/4/0 and 0/4/0 on the same EPON board of the
MA5600T so that when port 0/4/0 is faulty, the system can automatically switch the service to
port 0/4/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target EPON-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/4/0 role work

B
Ont SoftwareVersion : V1R1C01SPC033
Ont EquipmentID
: EchoLife:HG850a
Ont autofind time
: 2009-10-24 14:59:10
-----------------------------------------------------------------------huawei(config-if-gpon-0/5)#ont confirm 1 ontid 1 sn-auth 32303131D659FD40
omci
ont-lineprofile-id 10 ont-srvprofile-id 10 desc HG850a
NOTE
l After the ONT is added.
l In this example. Considering the
HG8240 as an example. run
the display ont capability command to query the actual ONT capabilities and then based
on the queried ONT capabilities.
7.
huawei(config)#interface gpon 0/5
huawei(config-if-gpon-0/5)#port 1 ont-auto-find enable
huawei(config-if-gpon-0/5)#display ont autofind 1
-----------------------------------------------------------------------Number
: 1
F/S/P
: 0/5/1
Ont SN
: 32303131D659FD40
Password
:
VenderID
: HWTC
Ont Version
: HG850aGTH.
8. it is recommended that you run the display ont info command to
query the ONT status. run the commit command to make the configuration take effect before
the system quits the profile mode. and the bound ONT service profile ID is 10.SmartAX MA5600T Multi-service Access Module
Commissioning and Configuration Guide
9 Configuration Example of the FTTH Service
huawei(config-gpon-lineprofile-10)#commit
huawei(config-gpon-lineprofile-10)#quit
NOTE
After a profile is configured.
Configure an ONT service profile. the management mode is OMCI. the SN is
32303131D659FD40. The ID of the
VLAN to which ETH port 1 belongs is 10.
9.
The service profile type must be the same as the actual ONT type. add a proper ONT profile and a proper ONT.
420
..
The default alarm profile (profile 1) is adopted.
Add an ONT. ensure that Config State of the ONT is normal and
Match State is match. The ONT ID is 1. the bound ONT line profile
ID is 10. configure four ETH ports and two POTS ports. run the commit command to make the configuration take effect before
the system quits the profile mode. the method of confirming the automatically discovered ONT is used.
NOTE
l You can run the ont add command to add an ONT offline or run the ont confirm command to
confirm an automatically discovered ONT.
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 1